Redazione RHC : 13 October 2025 19:09
A critical vulnerability has been identified in the AMD SEV-SNP hardware security architecture, impacting major cloud providers (AWS, Microsoft Azure, and Google Cloud). This flaw allows malicious hypervisors to compromise encrypted virtual machines and gain full access to their memory.
The attack, dubbed RMPocalypse, undermines the fundamental confidentiality and integrity guarantees on which the SEV-SNP trusted execution model is based.
The research, presented at the ACM CCS 2025 conference in Taipei, details how a vulnerability is exploited during the initialization of SEV-SNP's key structure, the Reverse Map Table (RMP). This table maps host physical addresses to guest virtual pages and is responsible for preventing the page-spoofing attacks known from the previous generations, SEV and SEV-ES. However, the RMP itself does not yet exist at boot time and therefore cannot protect itself from writes by x86 kernels running concurrently with the initialization process.
The vulnerability is tracked as CVE-2025-0033 (CVSS score: 8.2) and affects AMD processors based on the Zen 3, Zen 4, and Zen 5 architectures, including the EPYC server chips actively used in cloud infrastructure. The problem is a vicious circle: the RMP is supposed to protect itself from modification, but during the initial setup phase this protection is not yet active. Management of this phase is delegated to the Platform Security Processor (PSP), a coprocessor based on the ARM architecture. It creates barriers in the form of Trusted Memory Regions (TMRs) on the memory controller and also prevents x86 cores from writing to memory. However, as researchers Benedikt Schlüter and Shweta Shinde from ETH Zurich have shown, these measures are insufficient.
The asynchronous operation of the x86 cores allows them to write dirty cache lines destined for RMP memory before the PSP enables full protection. When the TMRs are cleared after initialization, these still-pending dirty lines are written back to DRAM, overwriting the RMP table with arbitrary values.
Experiments conducted on the EPYC 9135 (Zen 5), 9124 (Zen 4), and 7313 (Zen 3) confirmed that overwrites occur without errors, especially on Zen 3, where consistency issues exacerbate the situation. Although the PSP firmware contains hints of protection mechanisms such as cache flushing, the lack of a global TLB flush and the closed nature of some components prevent full protection.
The RMPocalypse attack allows attackers to place protected pages in a state where the hypervisor can freely modify them. This allows for four types of attacks:
Therefore, SEV-SNP completely loses its protective properties under untrusted hypervisor conditions. This is critical for tasks that process sensitive data, from enterprise applications to AI models and cloud storage.
AMD confirmed the vulnerability and announced that it is working on patches, but at the time of publication, fixes for the affected processors were not available. As a temporary workaround, the researchers propose reconfiguring the core-level barriers, including pre-validating the caches before removing the TMR or forcing a global cache and TLB flush after completing the RMP configuration. On Zen 3 this is complicated by the need for additional synchronization due to the consistency issues.
RMPocalypse joins the CacheWarp and Heckler attacks in demonstrating how vulnerable even the most advanced confidential computing technologies are. Although AMD has partially open-sourced the PSP firmware, proprietary components still hinder comprehensive analysis and mitigation. Since the vulnerability can be exploited in less than 234 milliseconds during the SNPINITEX phase, trust in hardware security mechanisms needs to be reevaluated.